Overview
A supply chain attack targeting Klue, a competitive intelligence SaaS platform, has expanded beyond its initial scope — with additional victim organizations coming forward after attackers used stolen OAuth tokens to exfiltrate data from their Salesforce environments. The threat actor group known as Icarus has begun publicly leaking portions of the stolen data, accelerating pressure on affected companies to respond.
What Happened
The attack chain began with a compromise of Klue's infrastructure. Attackers gained access to OAuth tokens that Klue held on behalf of its customers — tokens originally issued to allow Klue to integrate with those customers' Salesforce orgs for data ingestion and competitive intelligence gathering.
Rather than targeting Salesforce directly, the attackers exploited the trust relationship between Klue as an authorized OAuth application and its customers' Salesforce environments. Using the stolen tokens, they authenticated to multiple Salesforce customer orgs and extracted data without triggering standard credential-based alerts.
Attack Chain Summary
Klue (vendor) breached
↓
OAuth access tokens stolen
↓
Tokens used to authenticate to customer Salesforce orgs
↓
CRM data, sales records, and customer PII exfiltrated
↓
Icarus threat actor publicly leaks harvested data
Icarus Threat Actor
Icarus is a financially motivated threat group that has demonstrated a pattern of targeting third-party vendor OAuth integrations to pivot into high-value SaaS environments. Rather than engaging in ransom negotiations, Icarus publicly releases stolen data — either to damage victims' reputations, compel payment through public pressure, or sell access on dark web marketplaces.
The group's use of OAuth token abuse is a hallmark of modern supply chain attacks where legitimate API credentials provide the same level of access as the original authorized application, but without triggering multi-factor authentication challenges or suspicious login alerts.
Scope and Impact
While the full list of affected organizations has not been publicly confirmed, multiple Klue customers have reported:
- Unauthorized access to Salesforce CRM records
- Exfiltration of customer contact data, pipeline records, and account information
- Data appearing in Icarus leak forums and dark web channels
The attack highlights a systemic risk in vendor OAuth delegation: when a SaaS vendor holds OAuth tokens granting broad API access to customer platforms, a single breach of that vendor can cascade into dozens of downstream compromises.
What Salesforce Customers Should Do
Immediate Steps
- Audit connected OAuth applications: In Salesforce Setup, navigate to Connected Apps OAuth Usage and review all third-party apps with active tokens. Revoke any that are unexpected or belong to vendors you no longer use.
- Revoke Klue's OAuth tokens: If your organization uses or used Klue's Salesforce integration, immediately revoke Klue's connected app authorization and rotate any API credentials.
- Review Salesforce audit logs: Check the Login History and Setup Audit Trail in Salesforce for API access from unusual sources or during off-hours, particularly from OAuth-based authentication events.
- Enable IP allowlisting: Configure Salesforce to restrict API access to known IP ranges, reducing the effectiveness of stolen tokens used from attacker infrastructure.
- Monitor for data leaks: Set up alerts for your organization's data appearing in breach databases or dark web leak sites.
Longer-Term Hardening
- Apply least-privilege OAuth scopes: Ensure third-party integrations are granted only the minimum Salesforce scopes required for their function — not the broad "full" or "api" scopes.
- Implement token rotation: Require OAuth refresh tokens to expire and be rotated regularly.
- Vendor security assessments: Before granting OAuth access to third-party vendors, verify their security posture and breach notification procedures.
- Conditional access policies: Leverage Salesforce's Connected App policies to enforce device trust, IP ranges, and session duration limits on third-party integrations.
The Broader Supply Chain OAuth Risk
This incident follows a well-established pattern seen in other supply chain attacks: attackers increasingly target the seams between trusted applications rather than trying to breach well-defended enterprise perimeters directly. When organizations grant OAuth access to vendors, they extend a degree of implicit trust that, if compromised, bypasses many conventional security controls.
Organizations should treat third-party OAuth grants with the same scrutiny applied to privileged service accounts — with regular reviews, minimal scopes, and rapid revocation capabilities built into incident response playbooks.